Last modified by melissargos on 2024/10/11 18:22
From version 19.1
edited by bschaffha
on 2024/10/10 13:54
Change comment: There is no comment for this version
To version 22.1
edited by bschaffha
on 2024/10/10 14:36
Change comment: There is no comment for this version

Summary

Details

Page properties
Content
... ... @@ -15,7 +15,7 @@
15 15  = What can I find here? =
16 16  
17 17  * Creation of a MIP User Account
18 -* The MIP Data Governance
18 +* MIP Data Governance
19 19  * MIP Data Flow
20 20  * MIP GDPR compliance assessment
21 21  
... ... @@ -54,7 +54,7 @@
54 54  
55 55  Upon login to the MIP, users are mandated to accept the Terms of Use of the MIP. Accredited users access the MIP through a web-based interface, which will provide them with access to the respective federation on the MIP.
56 56  
57 -== The MIP Data Governance ==
57 +== MIP Data Governance ==
58 58  
59 59  [[image:1728560441625-436.png]]
60 60  
... ... @@ -62,6 +62,19 @@
62 62  
63 63  //T(% class="small" %)his illustration depicts how data governance and data flow in the MIP are organised and how the legal framework and data management are interlinked. Decision points are indicated.//
64 64  
65 +(% style="color:#c0392b" %)//~*~*The **MIP Data Protection Impact Assessment (DPIA) **is currently under full revision and will become functional upon final approval by the CHUV DPO. Per Article 35(3)(b) of GDPR a Data Protection Impact Assessment is required whenever processing is likely to result in a high risk to the rights and freedoms of individuals and at least in the case of large-scale processing of sensitive data.//
66 +
67 +=== //MIP and data anonymisation// ===
68 +
69 +
70 +**Note**: (% style="color:#27ae60" %)**The MIP is handling anonymised data.**(%%) The definition for anonymisation (//ISO standard (ISO 29100:2011)//) of personal data is the process of encrypting or removing personally identifiable data from datasets so that a person can no longer be identified directly or indirectly (see also **Recital 26 of the GDPR)**. As soon a person cannot be re-identified the data is no longer considered personal data and the GDPR does not apply for further use.
71 +
72 +However, processing personal data **for the purpose to anonymise the data** is still processing that must have a **legal basis under Article 6 of GDPR**. The anonymisation process is what is known as “**further processing**”. As such the new processing must be compliant with the principle of purpose limitation. Most often, the legal basis of the controller’s/processor’s fulfilling contract or legitimate interest will apply, if the principles of collection, purpose, retention have been complied with.
73 +
74 +The process of anonymization can be used to improve data protection compliance in two main ways: i.e., as part of the “**privacy by design**” strategic work, with the goal to improve the protection of the processed data; or as part of the “**data minimisation**” strategy – where data can be anonymized and used without the risk of harming the data subjects.
75 +
76 +(% style="color:#27ae60" %)**Both strategies are followed by the MIP.**
77 +
65 65  === MIP concepts and definitions ===
66 66  
67 67  * **Common Data Elements (CDEs)**
... ... @@ -144,7 +144,7 @@
144 144  
145 145  (% style="color:#27ae60" %)**Data Transfers (Articles 44-50)**
146 146  
147 -The MIP ensures that any data transfers comply with GDPR’s requirements for international data transfers. This is achieved using DTAs and DSAs, ensuring that data transferred across borders is protected under equivalent data protection standards. If data is transferred, secure file transfer solutions are used
160 +The MIP ensures that any data transfers comply with GDPR’s requirements for international data transfers. This is achieved using DTAs and DSAs, ensuring that data transferred across borders is protected under equivalent data protection standards. If data is transferred, secure file transfer solutions are used.
148 148  )))
149 149  )))
150 150